SAP Security Patch Day – February 2026
As we move further into February, the realities of a new year are already setting in. And SAP security should be high on that priority list! Patch volumes remain consistently high, reinforcing that postponing security updates is not an option. Applying patches promptly continues to be one of the most effective ways to reduce exposure to known vulnerabilities and limit attack surfaces across SAP landscapes.
This month’s SAP Security Patch Day underlines that point once again. SAP released 29 Security Notes (including updates and interim releases), resulting in a substantial workload for security and basis teams early in the year. This comes close to the record high we saw in July 2025, and the volume shows that there is no “slow start” when it comes to SAP security. Below, we break down the most relevant notes from this release and outline what they mean for your SAP environment.
SAP environments are becoming increasingly dynamic, spanning on-premise systems, cloud services, and hybrid architectures. This complexity turns patch management into much more than a simple update exercise. With countless components and tightly coupled dependencies, the patching process is often slow, resource-intensive, and vulnerable to human error, making it all too easy for critical fixes to be missed. At SecurityBridge, we understand these challenges better than anyone. Our SecurityBridge Patch Management for SAP solution helps you identify missing patches across your SAP landscape, delivering clear visibility, impact analysis, and automated implementation. With a system-wide overview, it dramatically shortens the time needed to apply updates and monitor threats in real time, helping you to continue 2026 with a more secure and resilient SAP environment.
SecurityBridge Findings!
At SecurityBridge, we don’t just provide a comprehensive SAP security platform — we’re also deeply invested in ongoing research within the SAP security domain.
For this month’s release, our latest discoveries are:
- High priority: note 3705882 – [CVE-2026-24322] Missing Authorization check in SAP Solution Tools Plug-In (ST-PI)
- Medium priority: note 3691645 – [CVE-2026-0486] Missing Authorization Check in ABAP based SAP systems
- Medium priority: note 3680416 – [CVE-2026-23681] Missing Authorization check in a function module in SAP Support Tools Plug-In
- Medium priority: note 3678009 – [CVE-2026-24326] Missing authorization check in SAP S/4HANA Defense & Security (Disconnected Operations)
Security notes - February 2026
HotNews
Let’s start with HotNews, the highest-priority category. There are 3 notes in total — 2 newly released today and 1 minor update.
3697099 — CRM & S/4HANA Scripting Editor: allowlist bypass enables critical function execution (incl. SQL)
An authenticated attacker can abuse a generic function module and execute arbitrary SQL statements. In essence, that is a full database compromise with broad impact on confidentiality, integrity, and availability. SAP’s patch hardens the logic with additional allowlist checks to prevent arbitrary function module (FM) calls. A workaround is available by deactivating the affected SICF services, but the actual fix is provided by the patch. See also the FAQ note 3709553.
3674774 — NetWeaver AS ABAP / ABAP Platform: background RFC can bypass required S_RFC authorization
A low-privileged authenticated user can perform background RFC operations without the required S_RFC authorization. This can lead to a serious impact on integrity and availability. Kernel patches are released for basically all supported ABAP kernels, from kernel version 7.22 to 9.16. Take note of the patching instructions: this is not a kernel patch to simply apply and restart! Additional S_RFC permissions may be required for users. See FAQ note 3676372 for detailed instructions.
3697979 — SAP Landscape Transformation: code/OS command injection via RFC-exposed module
SecurityBridge proudly reported this vulnerability and the patch was first released as part of the January 2026 cycle. For this month, the update concerns a minor change (externally reported: yes). No new actions required from customers.
High-Priority Notes
We have 7 High-priority notes this month which have all been newly released. Although these are 1 category below HotNews, they are still important. We highlight the following notes below:
3692405 — SAP Commerce Cloud: outbound SSL trust validation bypass
In SAP Commerce Cloud, under certain conditions, an authenticated user can exploit a so-called ‘race condition’ in the Jersey library (CVE-2025-12383). This leads to bypass of the SSL trust validation for outbound connections, creating a high confidentiality/integrity risk. Note that this is only relevant for custom extensions as the standard SAP configuration does not use Jersey for outbound connections.
Business Objects platform
The following high notes concern the Business Objects platform:
3654236 — BusinessObjects BI Platform: unauthenticated DoS via trusted endpoint
A remote attacker can trigger an availability failure against a BI Platform endpoint in a way that breaks the trust/authentication flow and locks out legitimate users.
3678282 — BusinessObjects BI Platform: unauthenticated DoS (CMS crash/restart loop)
Another BusinessObjects availability problem, but with a particularly practical failure mode: specially crafted requests can crash and auto-restart the CMS, and repeating them can keep the CMS persistently down. There is a workaround, but patching is, as always, recommended. See also note 3695912 for a similar DoS vulnerability on this platform.
3674246 — BusinessObjects BI Platform: open redirect (malicious URL insertion + user click)
An authenticated attacker with high privileges can insert a malicious URL and eventually download malicious content. SAP mitigates this by implementing server-side whitelisting to prevent unvalidated redirects.
Medium- and Low-Priority Notes
This Patch Tuesday, 19 notes fall into the Medium or Low category. Some highlights follow below; for the full breakdown, scroll to the end of this post.
3679346 — SAP Business One client: credentials may be exposed in memory dump files
Dump files can contain credentials without proper obfuscation, so if an attacker obtains these dumps they may gain unauthorized access and the ability to perform unauthorized operations. With the patch, SAP reduces the risk by ensuring credentials are no longer stored in process memory.
Note: the SAP note also lists additional security measures, which we highly recommend considering!
3678313 — Memory Corruption vulnerability in SAP NetWeaver and ABAP Platform (Application Server ABAP)
This note describes another memory-related issue, where memory content can be accessed and used for further exploitation. The kernel patch fixes this issue.
SAP Security Notes February 2026
Highlights
An almost record-high number of security notes for February 2026. Many fixes concern the ABAP and Business Objects platform (among others).
Summary by Severity
The February release contains a total of 29 patches for the following severities:
| Severity | Number |
|---|---|
| Hot News | 3 |
| High | 7 |
| Medium | 17 |
| Low | 2 |
| Note | Description | Priority | Released on | Components | Category | Severity | CVSS |
|---|---|---|---|---|---|---|---|
| 3697099 | [CVE-2026-0488] Code Injection vulnerability in SAP CRM and SAP S/4HANA (Scripting Editor) | HotNews | 2/10/26 | CRM-IC-FRW | Program error | Hot News | 9.9 |
| 3674774 | [CVE-2026-0509] Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform | HotNews | 2/10/26 | BC-MID-RFC | Program error | Hot News | 9.6 |
| 3697979 | [CVE-2026-0491] Code Injection vulnerability in SAP Landscape Transformation | HotNews | 1/13/26 | CA-DT-ANA | Program error | Hot News | 9.1 |
| 3697567 | [CVE-2026-23687] XML Signature Wrapping in SAP NetWeaver AS ABAP and ABAP Platform | Correction with high priority | 2/10/26 | BC-SEC-WSS | Program error | High | 8.8 |
| 3703092 | [CVE-2026-23689] Denial of service (DOS) in SAP Supply Chain Management | Correction with high priority | 2/10/26 | SCM-APO-CA-COP | Program error | High | 7.7 |
| 3705882 | [CVE-2026-24322] Missing Authorization check in SAP Solution Tools Plug-In (ST-PI) | Correction with high priority | 2/10/26 | SV-SMG-SDD | Program error | High | 7.7 |
| 3678282 | [CVE-2026-0485] Denial of service (DOS) vulnerability in SAP BusinessObjects BI Platform | Correction with high priority | 2/10/26 | BI-BIP-SRV | Program error | High | 7.5 |
| 3654236 | [CVE-2026-0490] Denial of service (DOS) in SAP BusinessObjects BI Platform | Correction with high priority | 2/10/26 | BI-BIP-SRV | Program error | High | 7.5 |
| 3692405 | [CVE-2025-12383] Race Condition in SAP Commerce Cloud | Correction with high priority | 2/10/26 | CEC-SCC-PLA-PL | Program error | High | 7.4 |
| 3674246 | [CVE-2026-0508] Open Redirect vulnerability in SAP BusinessObjects Business Intelligence Platform | Correction with high priority | 2/10/26 | BI-BIP-SEC | Program error | High | 7.3 |
| 3695912 | [CVE-2026-24324] Denial of service (DOS) vulnerability in SAP BusinessObjects Business Intelligence Platform (AdminTools) | Correction with medium priority | 2/10/26 | BI-BIP-SRV | Program error | Medium | 6.5 |
| 3672622 | [CVE-2026-0484] Missing Authorization check in SAP NetWeaver Application Server ABAP and SAP S/4HANA | Correction with medium priority | 2/10/26 | BC-DWB-CEX-CF | Program error | Medium | 6.5 |
| 3688319 | [CVE-2026-24328] Open Redirection vulnerability in Business Server Pages Application (TAF_APPLAUNCHER) | Correction with medium priority | 2/10/26 | SV-SMG-TWB-CBT | Program error | Medium | 6.1 |
| 3678417 | [CVE-2026-0505] Multiple vulnerabilities in BSP Applications of SAP Document Management System | Correction with medium priority | 2/10/26 | CA-DMS-OP | Program error | Medium | 6.1 |
| 3503138 | [CVE-2025-0059] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML) | Correction with medium priority | 1/14/25 | BC-FES-WGU | Program error | Medium | 6.0 |
| 3689543 | [CVE-2026-23684] Race condition vulnerability in SAP Commerce Cloud | Correction with medium priority | 2/10/26 | CEC-SCC-COM-BC-OCC | Program error | Medium | 5.9 |
| 3679346 | [CVE-2026-24319] Information Disclosure Vulnerability in SAP Business One (B1 Client Memory Dump Files) | Correction with medium priority | 2/10/26 | SBO-CRO-SEC | Program error | Medium | 5.8 |
| 3687771 | [CVE-2026-24321] Information Disclosure vulnerability in SAP Commerce Cloud | Correction with medium priority | 2/10/26 | CEC-SCC-COM-BC-OCC | Program error | Medium | 5.3 |
| 3710111 | [CVE-2026-24312] Missing authorization check in SAP Business Workflow | Correction with medium priority | 2/10/26 | BC-BMT-WFM | Program error | Medium | 5.2 |
| 3691645 | [CVE-2026-0486] Missing Authorization Check in ABAP based SAP systems | Correction with medium priority | 2/10/26 | SV-SMG-SDD | Program error | Medium | 5.0 |
| 3697256 | [CVE-2026-24325] Cross Site Scripting (XSS) vulnerability in SAP BusinessObjects Enterprise (Central Management Console) | Correction with medium priority | 2/10/26 | BI-BIP-CMC | Program error | Medium | 4.8 |
| 3687285 | [CVE-2026-23685] Insecure Deserialization vulnerability in SAP NetWeaver (JMS service) | Correction with medium priority | 2/10/26 | BC-JAS-JMS | Program error | Medium | 4.4 |
| 3122486 | [CVE-2026-23683] Missing Authorization check in SAP Fiori App (Intercompany Balance Reconciliation) | Correction with medium priority | 1/27/26 | FI-LOC-FI-RU | Correction of legal function | Medium | 4.3 |
| 3215823 | [CVE-2026-23688] Missing Authorization check in SAP Fiori App (Manage Service Entry Sheets - Lean Services) | Correction with medium priority | 2/10/26 | MM-PUR-SVC-SES | Program error | Medium | 4.3 |
| 3678009 | [CVE-2026-24326] Missing authorization check in SAP S/4HANA Defense & Security (Disconnected Operations) | Correction with medium priority | 2/10/26 | IS-DFS-BIT | Program error | Medium | 4.3 |
| 3680390 | [CVE-2026-24327] Missing Authorization Check in SAP Strategic Enterprise Management (Balanced Scorecard in BSP Application) | Correction with medium priority | 2/10/26 | FIN-SEM-CPM-BSC | Program error | Medium | 4.3 |
| 3680416 | [CVE-2026-23681] Missing Authorization check in a function module in SAP Support Tools Plug-In | Correction with medium priority | 2/10/26 | SV-SMG-SDD | Program error | Medium | 4.3 |
| 3673213 | [CVE-2026-23686] CRLF Injection vulnerability in SAP NetWeaver Application Server Java | Correction with low priority | 2/10/26 | BC-MID-CON-JCO | Program error | Low | 3.4 |
| 3678313 | [CVE-2026-24320] Memory Corruption vulnerability in SAP NetWeaver and ABAP Platform (Application Server ABAP) | Correction with low priority | 2/10/26 | BC-CST-IC | Program error | Low | 3.1 |
